| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| gogs_v0.14.3_linux_amd64.tar.gz | 2026-06-07 | 41.3 MB | |
| gogs_v0.14.3_linux_amd64.zip | 2026-06-07 | 41.3 MB | |
| gogs_v0.14.3_linux_arm64.tar.gz | 2026-06-07 | 39.1 MB | |
| gogs_v0.14.3_linux_386.tar.gz | 2026-06-07 | 40.1 MB | |
| gogs_v0.14.3_linux_386.zip | 2026-06-07 | 40.1 MB | |
| gogs_v0.14.3_linux_arm64.zip | 2026-06-07 | 39.1 MB | |
| gogs_v0.14.3_windows_amd64.zip | 2026-06-07 | 41.7 MB | |
| gogs_v0.14.3_windows_amd64_mws.zip | 2026-06-07 | 41.8 MB | |
| gogs_v0.14.3_darwin_amd64.zip | 2026-06-07 | 42.5 MB | |
| gogs_v0.14.3_darwin_arm64.zip | 2026-06-07 | 41.2 MB | |
| gogs_v0.14.3_windows_arm64.zip | 2026-06-07 | 39.3 MB | |
| gogs_v0.14.3_windows_386_mws.zip | 2026-06-07 | 40.8 MB | |
| gogs_v0.14.3_windows_386.zip | 2026-06-07 | 40.8 MB | |
| gogs_v0.14.3_windows_arm64_mws.zip | 2026-06-07 | 39.3 MB | |
| 0.14.3 source code.tar.gz | 2026-06-07 | 14.3 MB | |
| 0.14.3 source code.zip | 2026-06-07 | 15.5 MB | |
| README.md | 2026-06-07 | 11.0 kB | |
| Totals: 17 Items | 598.2 MB | 3 | |
Fixed
- Security: Reverse proxy authentication header was honored from any remote address, allowing user impersonation when Gogs was reachable directly. The header is now only trusted from addresses listed in
[auth] TRUSTED_PROXY_IPS. #8264 - GHSA-w6j9-vw59-27wv - Security: Server-side request forgery in webhook deliveries via HTTP redirects to local network addresses. #8263 - GHSA-c4v7-xg93-qf8g
- Security: Denial of service when rendering issue references against a malformed external issue tracker URL format. #8312 - GHSA-4j89-2c4f-44c6
- Security: Stored XSS in Jupyter notebook (
.ipynb) preview through Markdown links withjavascript:URLs. #8319 - GHSA-jq8v-rmf6-65jw - Security: Missing authorization check on the attachment download endpoint allowed anyone who knew (or guessed) an attachment UUID to download files belonging to private repositories. #8320 - GHSA-p9f5-h3rx-j5qw
- Security: Organization team and member management actions accepted GET requests, allowing a logged-in owner to be tricked into adding an attacker to the Owners team via a crafted link. #8321 - GHSA-pwx3-qcgw-vh7h
- Security: SSRF via mirror address update bypassing clone address validation. #8225 - GHSA-wv27-2vqp-j7g5
- Security: Open redirect on login and other post-action flows via the
redirect_toquery parameter. #8322 - GHSA-xxhq-69mf-w8cr - Security: Privilege escalation to repository owner via collaboration access mode update. #8227 - GHSA-4565-r4x7-hg8j
- Security: SSRF in repository migration and recurring mirror sync via HTTP redirects and stale host validation on stored mirror URLs. #8324 - GHSA-g2f5-gjr4-qjvm
- Security: Remote command execution via pull request rebase merges with crafted branch names. #8301 - GHSA-qf6p-p7ww-cwr9
- Security: Stored XSS in the milestone dropdown on the new issue page via crafted milestone names. #8325 - GHSA-vcm5-gvmp-78mp
- Security: Stored XSS in Jupyter notebook (
.ipynb) preview throughdata:text/htmlURIs that bypassed the sanitizer. #8326 - GHSA-3w28-36p9-w929 - Security: Write-level collaborators could change admin-only repository settings (issue tracker, wiki, mirror sync) via API. #8327 - GHSA-268j-37xf-pp52
- Security: Password reset tokens stayed valid for the account-activation lifetime, ignoring
[auth] RESET_PASSWORD_CODE_LIVES. #8328 - GHSA-5c3f-6486-3g7g - Security: Stored XSS in Jupyter notebook (
.ipynb) preview through raw HTML in markdown cells. #8330 - GHSA-6vxv-wg6j-5qwp - Security: Read-only Git HTTP access could be confused with write access during repository pushes. #8331 - GHSA-wmfg-5p4h-5fw3
- Security: Arbitrary file write outside the repository working tree via crafted upload filename routed through a committed directory symlink. #8332 - GHSA-89mr-xqfv-758m
- Security: Cross-repository disclosure of Git LFS object contents by binding a known OID to another repository without proving possession of the bytes. #8333 - GHSA-6p9m-q3jp-47h4
- Security: Remote code execution via path traversal in organization names accepted through the API. #8334 - GHSA-c39w-43gm-34h5
- Security: Stalled SSH handshakes pinned a file descriptor and goroutine indefinitely. The built-in SSH server now drops connections that do not complete the handshake within 15 seconds. #8335 - GHSA-xp79-5mx3-jx52
- Security: Organization metadata and team list endpoints were reachable without authentication. #8336 - GHSA-744x-3838-5r56